Case Study

Technical Analysis: Black Basta Malware Overview

January 25, 2023

INTRODUCTION

Quadrant was recently able to aid a client during an organization-wide compromise by the Black Basta ransomware group. This group is a “Ransomware as a Service” (RaaS) organization known to target medium and large companies. The following contains an overview of the compromise as it progressed, as well as a technical analysis of the malware and techniques observed, ranging from a successful phishing campaign to the attempted ransomware detonation. Although some exact details of the threat actor’s actions are still unknown, the evidence gathered has allowed for inferences into many of the gaps. The names of all clients, all accounts, and some files have been modified for client confidentiality. Indicators of compromise, including malicious domain names, have not been modified. Any log modification has been made to redact client information, break potential links, or improve readability.

The timeline below shows a high-level overview of the incident:

[Image: Timeline of events for Black Basta attack]

INITIAL ACCESS

The threat actor began this attack by compromising a user account at a third-party vendor (TPV). Although little is known to Quadrant about the compromise at the TPV, the access gained allowed for the use of an "info@" account. The use of such an account would have allowed the threat actor to pose as the compromised user without creating extra "junk" in the user's inbox, which could raise suspicion. Following the initial phishing emails, the threat actor continued to submit additional phishing emails to the client from similar account names at different domains. Both samples reached their victims shortly after noon on the 20th of September.

The phishing emails contained what was later determined to be "Qakbot," a sophisticated trojan. Following the infection, these hosts began to beacon out to over 100 IPs using various ports. The client’s Cisco “Advanced Malware Protection” (AMP) detected a connection with one of these IPs over TCP port 2222. Although this did trigger an alert in AMP, Quadrant's ingestion of these logs was not configured, so it did not generate an alert through the Sagan solution.

The Suricata engine did detect these connection attempts; however, no alert was raised by the Packet Inspection Engine. Quadrant monitors clients' ingress and egress traffic using onsite Packet Inspection Engine (PIE) appliances running the Suricata detection engine. Although many other rulesets are used to screen for malicious activity, Quadrant has custom rules in place to detect SSH over nonstandard ports, such as TCP 2222. These rules did not fire due to the absence of an SSH header in the traffic. One may assume that traffic over 2222 would be SSH traffic; however, further analysis of the traffic generated by the Qakbot sample in the lab shows that this connection was likely HTTPS in nature.

Eventually, the malware was able to find an active C2 server. About 35 minutes elapsed between the initial infection and the first successful communication between a compromised host and the C2 domain. The second stage payload, later determined to likely be the penetration testing framework "Brute Ratel," was then downloaded via a connection to an IP in Russia.

PERSISTENCE AND ESCALATION OF PRIVILEGE

Following the compromise of two hosts and the gaining of a foothold, lateral movement began. The client's full infrastructure comprises three domains: Construction, Commerce, and a Subsidiary. Both initially compromised hosts were in the Construction environment. These domains had shared trust and were connected via VPN tunnels, which allowed the threat actor to move freely between domains.

We believe that multiple methods and tools were leveraged in order to do this. At this point, visibility becomes muddled because observation and detection are focused on ingress and egress traffic. However, following the investigation into the recorded logs and the follow-on detailed analysis of malware samples, we can make educated guesses about some of the missing pieces.

Initial lateral movement and the lay of the land was likely conducted using Brute Ratel. This was determined through a review of files found on one of the initially compromised hosts. One file, "zfgufgfvezdnbcvjkzctpvfdj.dll," matches the hash of previously submitted Brute Ratel samples.

Due to the lack of visibility, we were unable to find the initial connection from the two "Patient Zeros" to the local Domain Controller. However, after reaching the local DC, the attacker was able to gain a better lay of the land and observe the presence of the other two domains.

Initial Command and Control was conducted from "23[.]19[.]58[.]43" [zedorocop[.]com] and "23[.]106[.]160[.]141" [danimos[.]com]. The IPs used for C2 and the level of interaction changed over time as the compromise grew. For example, mid-stage infections showed calls to "146[.]70[.]86[.]44" [gerhiles[.]com]. It’s important to note that the FQDNs that were used as C2 were all registered the same month as the compromise.

Multiple administrative and system accounts were compromised during this incident. One possible explanation for this is “Kerberoasting”. This technique was observed in the Commerce environment through a sharp increase in Kerberos requests using RC4 encryption. We do not believe that this was successful in this environment, due in part to the lack of additional signs of compromise specific to this domain. However, this technique was likely performed on the other two client domains where visibility gaps existed. This is further supported by the fact that the source and destination of these requests were in different domains: the source of the “Kerberoasting” was in the Subsidiary environment, and the Domain Controller that was attacked was in the Commerce environment.
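The indicator described above (a burst of RC4 ticket requests from a host in one domain against a Domain Controller in another) can be checked against Windows Event 4769 records. The following is an added example, not code from the report; the event records, the subnet-to-domain map and the thresholds are constructed for illustration.

```python
"""Kerberoasting indicator: burst of RC4 TGS requests (Windows Event 4769)
from a host in one domain against a Domain Controller in another.

Added example, not code from the Quadrant report. The event records, the
subnet-to-domain map and the thresholds are constructed for illustration;
real 4769 data would come from the DC security logs collected by NXLog.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RC4_HMAC = 0x17          # Ticket Encryption Type for RC4-HMAC; AES is 0x11/0x12

# Constructed mapping of client subnets to the three domains named in the report.
SUBNET_DOMAIN = {
    ip_network("10.10.0.0/16"): "Construction",
    ip_network("10.20.0.0/16"): "Commerce",
    ip_network("10.30.0.0/16"): "Subsidiary",
}


def client_domain(addr: str) -> str:
    """Map a 4769 Client Address (logged as ::ffff:a.b.c.d for IPv4) to a domain."""
    ip = ip_address(addr.removeprefix("::ffff:"))
    for net, name in SUBNET_DOMAIN.items():
        if ip in net:
            return name
    return "unknown"


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=5):
    """Return one finding per (account, DC domain) whose RC4 TGS requests
    name at least `min_services` distinct SPNs inside any `window`-long span."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["encryption_type"] != RC4_HMAC:
            continue
        # Tuning choice: computer-account SPNs (ending in $) are common RC4
        # noise in mixed estates and are not the target of Kerberoasting.
        if ev["service_name"].endswith("$"):
            continue
        by_key[(ev["account"], ev["dc_domain"])].append(ev)

    findings = []
    for (account, dc_domain), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        best, best_span, start = 0, None, 0
        for end in range(len(evs)):                     # sliding time window
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = len({e["service_name"] for e in span})
            if distinct > best:
                best, best_span = distinct, span
        if best >= min_services:
            src = client_domain(best_span[-1]["client_address"])
            findings.append({
                "account": account,
                "dc_domain": dc_domain,
                "client_domain": src,
                "cross_domain": src != dc_domain,     # the report's key observation
                "rc4_services": best,
                "first": best_span[0]["time"],
                "last": best_span[-1]["time"],
            })
    return findings


def sample_events():
    """Constructed 4769 records: one roasting burst plus benign background."""
    t0 = datetime(2022, 9, 21, 14, 0, 0)
    spns = ["MSSQLSvc/db01", "http/intranet", "MSSQLSvc/db02",
            "cifs/files01", "http/hr", "ldap/app01"]
    evs = [dict(time=t0 + timedelta(seconds=10 * i), account="ctr.user",
                dc_domain="Commerce", service_name=spn,
                encryption_type=RC4_HMAC, client_address="::ffff:10.30.5.7")
           for i, spn in enumerate(spns)]            # Subsidiary host -> Commerce DC
    evs.append(dict(time=t0 + timedelta(minutes=1), account="alice",
                    dc_domain="Construction", service_name="cifs/files02",
                    encryption_type=0x12, client_address="::ffff:10.10.1.5"))
    evs.append(dict(time=t0 + timedelta(minutes=2), account="bob",
                    dc_domain="Commerce", service_name="MSSQLSvc/legacy",
                    encryption_type=RC4_HMAC, client_address="::ffff:10.20.1.9"))
    return evs


if __name__ == "__main__":
    for f in detect_kerberoast(sample_events()):
        print(f)
```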

Once administrative access had been achieved, the threat actor also added new administrative accounts to the environment. 

PROPAGATION

Unknown to everyone but the attacker, multiple files were being transmitted throughout the environment:

Two file names were observed during the incident: "Client_s.exe" and "Client.exe." The different naming schemes are expected to correspond to different variants of the Black Basta ransomware. Although no sample could be provided for Client.exe (which is believed to be the ESXi variant), Quadrant was able to obtain a copy of "Client_s.exe" for Windows hosts.

Two ".bat" files were sent throughout the organization. Both were designed to turn off antivirus and anti-malware software. One does not use any obfuscation and just contains the simple command to stop Cisco AMP Orbital. This could indicate that it was written hastily in order to get it onto the target environments quickly. The other, targeting Windows Defender, required multiple steps in order to view its commands.

Also observed were Tox5, which appeared to be a component of Cobalt Strike, and a Cobalt Strike beacon named "Ticket-5731.xls."

These files continued to replicate throughout the organization through the use of Server Message Block (SMB), eventually spreading to almost every endpoint and server in two of the three domains. The attack on the Commerce domain does not appear to have been effective, outside of one host in a training environment. Most hosts in the Commerce environment had more restrictions placed on their operating system by default, which likely contributed to the threat actor's lack of success there.

EXFILTRATION

Once a file server was identified, an FTP connection was established to an external site. This was not used for C2 activities but only for receiving the exfiltrated data. Suricata logs show that “RClone” was downloaded on the file servers in order to facilitate exfiltration of the logs. RClone is designed to transfer large volumes of data from one host to the cloud with ease. This legitimate program was abused by the attacker to steal client data.

DETECTION AND RESPONSE

The most critical asset of the Security Operations Center is the human SOC analyst. A human can look at the totality of a situation and make a judgement call that no AI or automated process can. From the analyst's perspective, the only alert that was generated and brought to the SOC was a Suricata FTP rule looking for CVE-1999-0911, related to an overflow using the MKD command. This FTP command is defined as "...causes the directory specified in the pathname to be created on the server. If the specified directory is a relative directory, it is created in the client's current working directory."

Although many old signatures are decommissioned or otherwise suppressed, Quadrant leaves some rules in place as "hunting" rules. These are more focused on overall techniques or "odd" traffic that could be an indicator of compromise. In this case, the analyst investigating the alert observed that this was technically a false positive, as the command was not used in an abnormal fashion. However, looking at the destination, which had not been previously observed in the environment, the file names (which were quite varied), and the volume of files outbound, the analyst decided to call the client to err on the side of caution. Had the analyst not conducted their due diligence, or had this archaic signature been suppressed, it is highly likely that this compromise would not have been detected until after the encryption process had begun. The current list of rules developed following this incident can be found in I

The alert was submitted at 18:27 EDT on 9/21/2022, just over 30 hours after the initial infection.

The client determined it to be out of the ordinary but was unaware of the extent of the compromise. However, during the course of the evening, it became apparent that something was greatly amiss. The following morning, the client’s CISO contacted the Quadrant team to report that there was indeed an active compromise within their environment.

The client provided malware samples from the phishing emails and the analysis began. Threat hunting was conducted within the logs. A dedicated “out-of-band” communications channel was established between Quadrant and the client. As more evidence was uncovered, the full threat began to be realized.

One aspect of the actions taken by the Incident Response team was a live log review. The request to "look for anything suspicious" is often a nightmare, because how does one truly define suspicious without a baseline? However, with his knowledge of the situation and years of experience, a member of the I.R. team decided to look at the raw logs in real time to see if anything stood out. Windows Event logs and “clipboard” logs are collected using NXLog Enterprise. While clipboard logs are not stored on the local host, they are sent to the Sagan Log Analysis Engine for further analysis and retention. While examining this data, the I.R. team member became aware of the use of RDP by the threat actor by observing RDPClip.exe logging that looked, by definition, incredibly suspicious.

Among the many “clipboard” logs observed, "Client.exe -bomb" stood out. Although the full extent of the command was not realized at the time, the implied malice made it clear that now was the time to attempt to purge the threat actor.

The client's response team locked out the accounts that were known to be compromised. However, the threat actor had complete control over the environment. Following the initial attempt to lock out the threat actor, the threat actor retaliated. This resulted in a catastrophic lockout of the client's staff and administrators.

This was not completely unexpected. Knowing that there was an ongoing data exfiltration attempt along with a full network compromise with a relatively short “dwell” time, plans had been put into place to restrict all access to the network in order to mitigate and prevent the threat actor from doing more damage. The client's staff was simply waiting on the “order” to halt the network.

After a quick conference between Quadrant and the client, all parties agreed and the decision was made: at approximately 8:45pm on September 22, only 56 hours after the initial phishing email had been opened, the physical cables between the domains, as well as their connection to the Internet, were pulled.

Because of the observation, hunting, and superior teamwork between the Quadrant team and the client, only a handful of ESXi servers were encrypted. Had the team not taken action to sever the Internet and domain connections, the encryption command would likely have replicated throughout the Construction and Subsidiary environments. With the assistance of a third-party incident response firm and constant ongoing contact with the Quadrant team, the client was able to slowly, systematically, and safely bring their servers online while purging any remains of the threat actor over the course of the next two weeks.

Ultimately, this was considered a success in defense of the client. But there were many lessons learned. Through the later review of the logging and after-action analysis of the event, more detection rules have been created to better alert on what visibility does exist in this, and many other, client environments.

TECHNICAL ANALYSIS

INITIAL ACCESS: QAKBOT INFECTION

The two phishing samples provided by the client show two different techniques:

Email response as part of an Email Chain:  "Re: RE: Logistics":

The phishing email came from a legitimate vendor, "stoneworkers". The phishing attachment was sent to the target in a response to an ongoing conversation between a member of Quadrant’s client and the TPV. The attacker sent the email from "info[@]stoneworkers[.]org" while posing as "jpeterman[@]stoneworkers[.]org". The email had applicable context, and the email chain contained back-and-forth with another member of the TPV as well.

Cold Email: "Solution for Issue 37":

The phishing email came with no pretext from a site not used by the client. However, it is important to note that the site seems to be owned by a legitimate venture capital group, which may indicate a compromise of that organization or that the email account was spoofed. The attacker sent the email from "support[@]capitalizedadventures[.]com" while posing as "Jay Peterman".

Both attachments from the two phishing emails contain similar malware. Only changes to the filenames and corresponding commands were observed between the two.

When downloaded, the initial attachment is a local HTML file. The web page claims to be an Adobe site and that the attached document is a password-protected PDF:

Using the password "abc888" to unzip the attachment, the user is presented with an ISO file. The two samples produced different ISO names: Claim_Copy_1796.iso and Claim_Copy_5898.iso.

The subdirectories of the "fathomed" directory (elude, omicron, and shabbily) are all empty, as confirmed by navigating to each and running "ls -a", which returned no files. This was verified with "du -h", which reported a size of 4.0K, consistent with an empty directory.

When opened in a Windows environment the following is displayed:

[Image: Black Basta Screenshot]

The ISO mounts as a DVD drive. The "Claim_Copy" file shows the icon for Windows File Explorer. Clicking on it calls the corresponding JavaScript file contained within each ISO.

[Image: Black Basta Screenshot]

In both cases the JavaScript file sets several variables before running the ".cmd" file contained within the ISO. This is likely done to avoid detection by log analysis engines, such as the Sagan engine, as well as other monitoring services such as Microsoft Defender or Sentinel.

[Image: Black Basta Screenshot]

The command is called with echo off, so that no text is displayed to the user. Ultimately, this CMD file calls the "db" file. In both samples, the "db" file is not a database but the actual Qakbot trojan.

[Image: Black Basta Screenshot]

Something interesting to note: "campus.txt" contains an excerpt from "Through the Looking-Glass" by Lewis Carroll. This inclusion may serve as easily changeable padding in the ISO. It would allow the easy addition or subtraction of data in order to change the ISO’s hash value without changing any important content of the executables.

Following detonation of Qakbot, the malware copied itself to "$CURRENTUSER\AppData\Roaming\Microsoft\Isoaahffo\djkuuhd.dll," as confirmed by the file hashes shown below, and set itself to auto-run. Following this, the malware begins to beacon out to hard-coded C2 servers. A breakdown of the observed IPs and their ports can be found in INDEX A below, which contains over 100 IPs for potential C2 servers.

[Image: Black Basta Screenshot]

During the initial detonation of the 5898 sample, the process embedded itself into wermgr.exe, the Windows Error Reporting Manager (Process ID 6660).

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

The registry keys added by the sample were decrypted by leveraging the decryption script found at "https://github.com/drole/qakbot-registry-decrypt". These show the full path to the dropped file "xjkuuhd.dll" as well as the Qakbot campaign identifier: "obama206."

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

As was the case with other Qakbot investigations, multiple potential IPs were observed during testing. During the incident, the first warning sign of compromise came from the victim's Cisco Advanced Malware Protection alerting. Cisco AMP detected an attempt to contact "76[.]169[.]76[.]44" [Van Nuys, CA] over TCP port 2222. It is interesting to note that other IPs were also contacted over TCP port 2222; however, this C2 node was the only IP to return any data over TCP port 2222, which may be why this alert triggered. According to Suricata logs, this was also the first IP that was reached via 2222. A later review of the logs revealed the first attempt to contact the C2 IPs ("61[.]70[.]29[.]53" [Taiwan]).

[Image: Black Basta Screenshot]

Due to TCP port 2222’s common use as an alternate port for SSH communication, the malware analyst recorded a manual SSH connection to the emulated C2 host in order to show the difference between an SSH connection and the connection made by the malware sample. Evidence suggests that the sample does not communicate over SSH and that the communication is consistent with HTTP/S traffic.

[Image: Black Basta Screenshot]

The malware analyst attempted to connect via SSH to the emulated C2 host. Note that the first packet from the experimental machine to the emulated C2 device following the 3-way TCP handshake shows header information containing the OpenSSH client information. This was produced manually as an example of an SSH connection while SSH was running on the emulated C2 host on port 2222. An overview of the lab setup and tools can be found in INDEX B.

[Image: Black Basta Screenshot]

With SSH still running on the emulated C2 device, the malware was detonated on the VM. The same packet following the 3-way handshake no longer contains SSH information but is detected as a Client Hello.

[Image: Black Basta Screenshot]

The emulated C2 server is now running an HTTPS server on TCP port 2222. The PCAP above shows the conversation from the 3-way handshake to the resetting of the connection.
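The difference the lab captures above (an SSH identification string versus a TLS Client Hello as the first client payload on port 2222) is exactly what a port-based SSH rule cannot see. The following is an added example, not code from the report: it classifies the first client payload and flags both SSH on a nonstandard port and non-SSH traffic on an SSH-like port. The sample payloads, and the ClientHello builder used only as a test fixture, are constructed.

```python
"""Tell an SSH session from a TLS session by the first client payload.

Added example, not code from the Quadrant report. The report's custom rules
for SSH on nonstandard ports look for the SSH identification string; Qakbot's
traffic to TCP 2222 began with a TLS Client Hello instead, so they never
fired. The sample payloads, and the ClientHello builder used only as a test
fixture, are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension
SSH_PORTS = {22, 2222}    # ports commonly treated as "SSH-like"


def classify_first_payload(data: bytes) -> dict:
    """Classify the first bytes a client sends after the 3-way handshake."""
    # RFC 4253: an SSH client opens with "SSH-2.0-<software>\r\n".
    if data.startswith(b"SSH-"):
        banner = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": "ssh", "banner": banner}
    # TLS: record type 0x16, version 0x03 0x0X, 2-byte length, then ClientHello (0x01).
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == CLIENT_HELLO):
        return {"protocol": "tls", "sni": client_hello_sni(data[5:])}
    return {"protocol": "unknown"}


def client_hello_sni(hs: bytes):
    """Walk a ClientHello handshake message and return its SNI host name, or None."""
    pos = 4 + 2 + 32                                    # type+len(4), version(2), random(32)
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None                                     # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME and len(body) >= 5:
            name_len = struct.unpack("!H", body[3:5])[0]  # list_len(2) type(1) name_len(2)
            return body[5:5 + name_len].decode("ascii", "replace")
    return None


def flag_port_mismatch(dst_port: int, data: bytes) -> str:
    """Two complementary checks: SSH on a port other than 22 (the report's
    existing rule) and, the gap it exposed, non-SSH traffic on an SSH port."""
    proto = classify_first_payload(data)["protocol"]
    if proto == "ssh" and dst_port != 22:
        return "ssh-on-nonstandard-port"
    if dst_port in SSH_PORTS and proto != "ssh":
        return f"{proto}-on-ssh-port"
    return "none"


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one SNI extension."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                   # client_version, random
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # two cipher suites
            + b"\x01\x00"                                  # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    print(flag_port_mismatch(2222, b"SSH-2.0-OpenSSH_9.0\r\n"))
    print(flag_port_mismatch(2222, build_client_hello("c2.example.invalid")))
```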

Following observation of the malware samples, we now know that most of the connection attempts to the C2 IPs are conducted over TCP port 443. Because of the common use of this port, and the use of TLS in these connections, both the attempts and the successful connections went undetected by Suricata and Cisco AMP.

Many of the connections over 443 were minimal, consistent with nothing more than TCP negotiation. However, IPs "119[.]42[.]124[.]18" [Thailand] and "193[.]3[.]19[.]37" [Russia] showed multiple packets and data transferred, including the exchange of TLS certificates. The size and length of the connection indicate that the second stage was downloaded from "193[.]3[.]19[.]37" [Russia].

[Image: Black Basta Screenshot]

The PCAP above shows the largest connection between P0 and the C2 domain. Because of the amount of data outbound, this may also indicate some data exfiltration or interaction with the second stage downloaded from the C2.

POST-EXPLOITATION TECHNIQUES, TACTICS, AND PROCEDURES

COMMAND AND CONTROL

Initial Command and Control was conducted from "23[.]19[.]58[.]43" [zedorocop[.]com] and "23[.]106[.]160[.]141" [danimos[.]com]. The IPs used for C2 and the level of interaction changed over time as the compromise grew. For example, mid-stage infections showed calls to "146[.]70[.]86[.]44" [gerhiles[.]com]. It’s important to note that the FQDNs that were used as C2 were all registered the same month as the compromise.

[Image: Black Basta Screenshot]

POTENTIAL COBALT STRIKE INSTALLATION - TOX5.EXE

Initial static review of the tox5 sample did not reveal much information; indicators show that it may have the ability to clear event logs.

[Image: Black Basta Screenshot]

A dynamic analysis of "Tox5" shows the malware drops itself into a folder with a randomly generated name under the "ProgramData" directory and adds itself to a scheduled task.

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

During the lab testing of the tox5 sample, we observed the sample gain persistence by duplicating itself. This is shown below by comparing the file hashes for "tox5.exe" and "C:\ProgramData\lplshr\basinqt.exe."

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

Although no obvious signs of compromise were apparent to the user of the infected host, a review of the network traffic from the host showed the newly installed program reached out to "gerhiles[.]com", which had been observed during the incident as a Command and Control site.

[Image: Black Basta Screenshot]

Following the resolution of gerhiles[.]com and the activation of "INetSim" to simulate a website, the PCAP above shows that connections were attempted over port 4001.

[Image: Black Basta Screenshot]

Leveraging "netstat -a -n -o" revealed the PID of the process connecting on port 4001. Task Manager was then used to reveal the process running as PID 3488, which was a renamed instance of Tox5.

Because of the beaconing activity, persistence, and apparent ability to wipe event logs, it is likely that tox5 is a component of Cobalt Strike or a similar framework.

LATERAL MOVEMENT: SMB AND RDP

Brute Ratel allows for lateral movement by leveraging RPC to create SMB traffic. Although no direct RPC actions were observed, possibly due to a lack of logging or the method of RPC use, multiple logs throughout the incident show the transfer of files using SMB. Logging shows actions taken by the attacker that were recorded by RDPClip in the form of clipboard logging, indicating the use of Remote Desktop Protocol. After the connections to the Internet and between the shared domains were severed, automated processes continued to propagate malware.

Files commonly observed transferred via SMB include:

  • Black Basta Ransomware  "Client_s.exe" and "Client.exe"
  • Cobalt Strike beacon with the name of "Ticket-5731.xls"
  • ".bat" files designed to disable Cisco AMP / Microsoft Defender
    • W.bat
    • Cc.bat

[Image: Black Basta Screenshot]

Clipboard logging showing the transfer of Cobalt Strike beacons using RDPClip:

The first part of the command is shown below, with the payload redacted for size and readability. This occurred immediately following the clipboard transfer of the command "net stop Cisco AMP".

[Image: Black Basta Screenshot]

[Image: Black Basta Screenshot]

The second Base64-encoded string was not only base64 but also gzipped, for size and obfuscation. The screenshot below shows the decoded and uncompressed data.

[Image: Black Basta Screenshot]

Leveraging the Cobalt Strike payload decoder from GitHub user "0xtornado" shows that the payloads were sent using the user agent below.

[Image: Black Basta Screenshot]

Additional files and commands observed being transferred, detected via clipboard logging:

The following 31 commands were run between Sep 22, 2022 @ 20:01:39.000 and Sep 22, 2022 @ 20:02:46.000. The syntax indicates these are the commands used to reset the administrative passwords following the attempted lockout of the threat actor.

[Image: Black Basta Screenshot]

According to Google Translate, the Russian phrases translate to "bury along the way" and "launch with balloons". These may be direct translations; however, adding any additional character following the Russian phrases changes the translation to "Lock on Path" and "launch with balls" respectively. Also note the use of "-forcepath" and "-bomb".

[Image: Black Basta Screenshot]

A search of Active Directory for users whose passwords never expire, along with the date each password was last set, with the output written to a file for later exfiltration:

[Image: Black Basta Screenshot]

Stopping Cisco AMP and disabling Microsoft Defender; these are the same commands as observed in the ".bat" files:

[Image: Black Basta Screenshot]

Transfer and use of Ticket-5731.xls (determined to be Cobalt Strike):

[Image: Black Basta Screenshot]

URL to download "cob_12.dll" and "tox5.exe". Although cob_12.dll was not collected as a technical sample, tox5.exe was reviewed:

[Image: Black Basta Screenshot]

Clipboard logging showing the “uninstall” commands for Windows Defender:

[Image: Black Basta Screenshot]

Adding an Admin to ESXi environment:

[Image: Black Basta Screenshot]

Domain Controller detection:

[Image: Black Basta Screenshot]

Connection attempt to a "SH/WEB" domain:

[Image: Black Basta Screenshot]

Command showing the use of "Bitsadmin" to transfer the Black Basta Ransomware:

[Image: Black Basta Screenshot]

Connection from Client by threat actor:

[Image: Black Basta Screenshot]

DISABLING ANTIVIRUS/MALWARE SOFTWARE USING ".BAT" FILES

The two ".bat" files that were sent throughout the organization were both designed to turn off antivirus and anti-malware software. It is interesting to note that “cc.bat” does not use any obfuscation and just contains the simple command to stop AMP Orbital. This could indicate that it was written hastily in order to get it onto the target environment.

"cc.bat" is a simple script designed to stop Cisco AMP.

[Image: Black Basta Screenshot]

“W.bat”, on the other hand, has some simple but clever obfuscation in place. When opened in "vim” or another text editor, the .bat file appears to contain Chinese characters. However, running "cat" or "strings" against it reveals the actual data. This uses a mixture of disguising the ASCII as UTF-16 by manipulating the start of the file, and obfuscating the data using a simple cipher. The string of characters following "set" acts as the key. When the script is executed, the system substitutes each number in the body with the character at that position in the key string. The link to Superuser[.]com in INDEX D goes into more detail on how this is done.
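Both layers described above can be undone programmatically rather than with a hand-built sed command. The following is an added example, not the team's decoder or the real w.bat: it strips the bogus UTF-16 byte order mark, then resolves the %key:~N,1% substring expansions (the cmd.exe syntax the description corresponds to, assumed here) against the key from the "set" line. The sample file is constructed and decodes to a harmless echo.

```python
"""Decode the two layers of obfuscation the report describes in w.bat.

Added example; this is not the team's sed command. Layer 1 is a UTF-16 byte
order mark in front of plain ASCII, so a BOM-honouring editor renders CJK
characters while cat/strings show the text. Layer 2 is a "set" line holding a
key string and a body made of %key:~N,1% expansions, which cmd.exe resolves
to the character at offset N of the key (assumed here to be the substring
syntax the report paraphrases). The sample file is constructed and decodes
to a harmless echo; the real w.bat key and body are not reproduced.
"""
import re

UTF16_LE_BOM = b"\xff\xfe"
SET_RE = re.compile(r'^\s*set\s+"?(\w+)=(.*?)"?\s*$', re.IGNORECASE)
SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+),(\d+)%")


def as_editor_sees_it(raw: bytes) -> str:
    """What an editor that trusts the BOM shows: ASCII byte pairs read as UTF-16LE."""
    body = raw[len(UTF16_LE_BOM):] if raw.startswith(UTF16_LE_BOM) else raw
    if len(body) % 2:
        body += b"\x00"
    return body.decode("utf-16-le", errors="replace")


def strip_fake_utf16(raw: bytes) -> str:
    """Drop the bogus BOM and read the bytes as the ASCII they really are."""
    if raw.startswith(UTF16_LE_BOM):
        raw = raw[len(UTF16_LE_BOM):]
    return raw.decode("ascii", errors="replace")


def expand_substrings(text: str) -> list:
    """Resolve every %var:~start,len% against keys defined by 'set' lines,
    returning the decoded command lines (the 'set' lines themselves are dropped)."""
    keys = {}
    decoded = []

    def resolve(m):
        key = keys.get(m.group(1).lower(), "")
        start, length = int(m.group(2)), int(m.group(3))
        if start < 0:                           # cmd.exe counts negatives from the end
            start = max(len(key) + start, 0)
        return key[start:start + length]

    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            keys[m.group(1).lower()] = m.group(2)
            continue
        decoded.append(SUBSTR_RE.sub(resolve, line))
    return decoded


# Constructed sample: BOM + ASCII. Key "@echo flwrd" -> offsets 0..10.
SAMPLE_W_BAT = UTF16_LE_BOM + (
    'set "k=@echo flwrd"\r\n'
    '%k:~0,1%%k:~1,1%%k:~2,1%%k:~3,1%%k:~4,1%%k:~5,1%%k:~4,1%%k:~6,1%%k:~6,1%\r\n'
    '%k:~1,4%%k:~5,1%%k:~3,1%%k:~1,1%%k:~7,1%%k:~7,1%%k:~4,1%%k:~5,1%'
    '%k:~8,1%%k:~4,1%%k:~9,1%%k:~7,1%%k:~10,1%\r\n'
).encode("ascii")


if __name__ == "__main__":
    print(as_editor_sees_it(SAMPLE_W_BAT)[:8])   # CJK-looking text, as seen in vim
    for cmd in expand_substrings(strip_fake_utf16(SAMPLE_W_BAT)):
        print(cmd)
```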

"w.bat" as viewed through a text editor. For this example, the text editor "vim” was used to open the file:

[Image: Black Basta Screenshot]

"w.bat" as viewed through the bash command "cat":

[Image: Black Basta Screenshot]

After copying and pasting the body of "w.bat" into its own text document, "w.txt", the team was able to run a lengthy "sed” command against the file to reveal the following:

[Image: Black Basta Screenshot]


The sed statement used to decode the body of "w.bat":

[Image: Black Basta Screenshot]


EXFILTRATION THROUGH RCLONE

Once the file server was identified, an FTP connection was established to an external site. This was not used for C2 activities but only for receiving the exfiltrated data. Over the past several years, multiple cyber security firms and the FBI have reported increased observation of the use of “RClone” to exfiltrate data. Suricata logs show that RClone was downloaded on the file servers in order to facilitate exfiltration of the logs.

[Image: Black Basta Screenshot]


Suricata flow log from the "Subsidiary PIE" to the IP resolved for “Rclone”. This likely shows the connection containing the download of RClone.

[Image: Black Basta Screenshot]


First connection on Subsidiary PIE to the external file dump:

[Image: Black Basta Screenshot]


First connection on Construction PIE to the external file dump. (Other logs are available showing the DNS request and download of RClone for the Construction domain as well):

[Image: Black Basta Screenshot]


ENCRYPTION VIA BLACK BASTA RANSOMWARE

Two file names were observed during the incident: "Client_s.exe" and "Client.exe." The different naming schemes are expected to correspond to different variants of the ransomware. Although no sample could be provided for Client.exe (which is believed to be the ESXi variant), Quadrant was able to obtain a copy of "Client_s.exe" for Windows hosts.

From a static malware analysis review, very little could initially be obtained from the sample aside from the ".basta" suffix and a reference to "Fax."

[Image: Black Basta Screenshot]


Static analysis conducted inside of x32dbg, showing a relation to "FAX" and the potential use of the directory "ProgramData":

[Image: Black Basta Screenshot]


Upon detonation, the malware sets itself up as the service "Fax" and enables it to start during safe boot. The ransomware then restarts the host into safe mode using bcdedit.exe. BCDEdit is a command-line program in Windows used to modify the “Boot Configuration Data.” While in safe mode, the encryption of files occurs. Once the encryption is complete, the system is restarted into the standard operating mode.

[Image: Black Basta Screenshot]


Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which indicates the creation of a Mutex:

[Image: Black Basta Screenshot]


Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which shows the addition of "Fax" to the registry, allowing it to start in safe mode:

[Image: Black Basta Screenshot]


Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which shows the use of BCDEdit to restart the host into safe mode with networking:

[Image: Black Basta Screenshot]


Following infection, the host restarts into safe mode where the encryption action takes place:

[Image: Black Basta Screenshot]


Following the encryption, the computer restarts into standard mode. The background has been replaced to show "Your Network is Encrypted by the Black Basta group. Instruction in the file readme.txt". The only files still accessible to the user are the "readme" files.
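The staging chain described above (a "Fax" service registered from an unusual path, a SafeBoot registry entry so that it survives a safe-mode boot, and bcdedit switching the next boot to safe mode with networking) is visible in endpoint telemetry before the encryption starts. The following is an added example, not part of the report or of the CAPEv2 output: it correlates those three indicators per host over Sysmon-style events that are constructed here.

```python
"""Detect the safe-mode encryption staging the report describes: a service
named "Fax" registered outside System32, a SafeBoot registry entry so the
service starts in safe mode, and bcdedit switching the next boot to safe
mode with networking.

Added example, not part of the Quadrant report or CAPEv2 output. The
Sysmon-style events below are constructed; the SafeBoot\\Network registry
key and the bcdedit "safeboot network" option are the documented Windows
mechanisms behind the behaviour the report observed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAFEBOOT_KEY = re.compile(r"\\control\\safeboot\\(network|minimal)\\", re.IGNORECASE)


def indicator(ev):
    """Map one event to an indicator name, or None if it is not interesting."""
    kind = ev["type"]
    if kind == "process_create":
        if ev["image"].lower().endswith("bcdedit.exe") and "safeboot" in ev["cmdline"].lower():
            return "bcdedit-safeboot"
    elif kind == "registry_set":
        if SAFEBOOT_KEY.search(ev["key"]):
            return "safeboot-service-registration"
    elif kind == "service_install":
        # The genuine Fax service binary lives under \Windows\System32.
        if ev["service"].lower() == "fax" and "\\windows\\system32\\" not in ev["image"].lower():
            return "fax-service-masquerade"
    return None


def detect_safeboot_staging(events, window=timedelta(minutes=10)):
    """Group indicators per host; two or more distinct indicators within
    `window` is rated high because together they match the full chain."""
    hits = defaultdict(list)
    for ev in events:
        name = indicator(ev)
        if name:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), name))
    findings = {}
    for host, items in hits.items():
        items.sort()
        names = sorted({n for _, n in items})
        span = items[-1][0] - items[0][0]
        severity = "high" if len(names) >= 2 and span <= window else "medium"
        findings[host] = {"indicators": names, "severity": severity}
    return findings


# Constructed events (ISO timestamps, Sysmon-like fields). ws01 shows the
# chain; ws02 runs a harmless bcdedit query; ws03 is the legitimate Fax service.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2022-09-22T20:03:10", "type": "service_install",
     "service": "Fax", "image": r"C:\ProgramData\svc\Fax.exe"},
    {"host": "ws01", "time": "2022-09-22T20:03:11", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax",
     "value": "Service"},
    {"host": "ws01", "time": "2022-09-22T20:03:12", "type": "process_create",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "ws02", "time": "2022-09-22T20:05:00", "type": "process_create",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /enum"},
    {"host": "ws03", "time": "2022-09-22T20:06:00", "type": "service_install",
     "service": "Fax", "image": r"C:\Windows\System32\fxssvc.exe"},
]


if __name__ == "__main__":
    for host, f in detect_safeboot_staging(SAMPLE_EVENTS).items():
        print(host, f)
```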

[Image: Black Basta Screenshot]


During the end state of the active compromise, two flags were observed in clipboard logging: "-bomb" and "-forcepath". The writeups by "Northwave-Security" and "Deepinstinct" shed more light on these flags. They show that "bomb" designates a full detonation of all reachable hosts, and "forcepath" is for a specific instance or directory. According to these recent writeups, this indicates that this is one of the newest renditions of the malware.

We are attempting to better understand the use of the "-bomb" flag and how it communicates with the other infected machines. The fact that the machine is restarted into safe mode with networking suggests that this communication may occur at that time.

INDEX A: INDICATORS OF COMPROMISE

FILE NAMES AND HASH VALUES


HARDCODED IP'S OBSERVED FROM QAKBOT SAMPLES


ADDITIONAL IP'S OBSERVED


INDEX B: MALWARE ANALYSIS LAB AND TOOL OVERVIEW

The lab environment consisted of three virtual machines running inside VMware Workstation 16 Pro. The network was configured to allow no connection to the internet.

HOST 1: ANALYSIS HOST

The analysis host ran the Linux distribution "REMnux." On startup, an iptables setup script was run containing all of the hardcoded C2 IPs for the Qakbot malware. This allowed the malware to communicate with its hardcoded IPs without any traffic reaching a real C2 host.

Image
Black Basta Screenshot
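As an added example (not the lab's own script, whose contents appear only in the screenshot above), the following Python generates the iptables rules such a gateway needs: traffic from the detonation host to each hardcoded C2 address is rewritten to the REMnux host, where INetSim answers, and every other forwarded packet is logged and dropped. The lab address 10.0.0.1, the assumption that INetSim listens on the original destination ports, and the three sample endpoints are assumptions, not values from the incident configuration.

```python
"""Generate iptables rules for a malware-analysis gateway (constructed example)."""
from ipaddress import ip_address

LAB_HOST = "10.0.0.1"   # assumed address of Host 1 (REMnux), where INetSim runs
# Three endpoints from the Qakbot hardcoded IP list; the lab script would load the full list.
C2_ENDPOINTS = [("70.49.33.200", 2222), ("88.231.221.198", 443), ("88.231.221.198", 995)]

def dnat_rule(ip: str, port: int, lab_host: str = LAB_HOST) -> str:
    """One nat/PREROUTING rule: a connection to ip:port from the detonation host
    is rewritten to lab_host on the same port, where INetSim is assumed to listen."""
    ip_address(ip)                       # reject a malformed entry instead of emitting a bad rule
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return (f"iptables -t nat -A PREROUTING -p tcp -d {ip} --dport {port} "
            f"-j DNAT --to-destination {lab_host}:{port}")

def build_ruleset(endpoints, lab_host: str = LAB_HOST) -> list[str]:
    """Full rule list: flush, one DNAT per unique (ip, port), then log-and-drop everything else."""
    rules = ["iptables -t nat -F PREROUTING", "iptables -F FORWARD"]
    seen = set()
    for ip, port in endpoints:
        if (ip, port) in seen:           # duplicate IoC entries yield a single rule
            continue
        seen.add((ip, port))
        rules.append(dnat_rule(ip, port, lab_host))
    # DNAT'd packets are delivered locally (INPUT); anything still being forwarded
    # was not in the list and must never leave the lab.
    rules += ["iptables -A FORWARD -j LOG --log-prefix 'LAB-DROP: '",
              "iptables -A FORWARD -j DROP"]
    return rules

if __name__ == "__main__":
    print("\n".join(build_ruleset(C2_ENDPOINTS)))   # review, then run as root on Host 1
```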


Additional software used during the analysis includes:

Wireshark: Network packet capture and analysis

Inetsim: An "Internet Simulation" tool which creates fake http and other services for malware samples to interact with.

FakeDNS: A fake DNS service which responds with a predetermined IP. Default IP is the host FakeDNS is installed on.

Readpe.py: Used to read Portable Executable files.

HOST 2: EXPERIMENTAL HOST

The experimental host ran Windows 10 build 19041 and was used to detonate the malware samples provided by the client.

NXLog is installed on this host, and Windows event logs are forwarded to Host 3.

Host 1 is configured as the internet gateway: aside from the logging connection to Host 3, all other connections are forced through Host 1.

Additional software used during the analysis includes:

X32dbg: Interactive debugging program.

Regshot: Captures a "snapshot" of the registry before and after detonation of a sample to observe the changes on the host.

Wireshark: Network packet capture and analysis.

Qakbot Registry Decryption Tool: Used to decrypt Qakbot registry entries.

HOST 3: LOGGING HOST

The logging host runs Debian 11 and only receives Windows event logs from Host 2.

Image
Black Basta Screenshot


INDEX C: LIST OF SAGAN RULES DEVELOPED FROM THIS INCIDENT

The following rules were developed following this incident. The full Sagan rule set can be found at github.com/quadrantsec/sagan-rules.

SID      Rule Name
5008352  [CISCO-SECUREENDPOINT] Exploit attempt was detected
5008355  [CISCO-SECUREENDPOINT] Exploit attempt was prevented
5008356  [CISCO-SECUREENDPOINT] Event Engine Detection
5008362  [WINDOWS-CLIPBOARD] Get-ADGroupMember Command
5008363  [WINDOWS-CLIPBOARD] Get-ADUser Command
5008364  [WINDOWS-CLIPBOARD] Service being stopped
5008365  [WINDOWS-CLIPBOARD] Powershell Policy Bypass Command
5008366  [WINDOWS-CLIPBOARD] Disable Windows Defender Command
5008367  [WINDOWS-CLIPBOARD] Disable Realtime Monitoring Command
5008368  [WINDOWS-CLIPBOARD] Uninstall Windows Defender Command
5008369  [WINDOWS-CLIPBOARD] Remoe-exec psexec command
5008370  [WINDOWS-CLIPBOARD] Powershell encodedcommand
5008371  [WINDOWS-CLIPBOARD] rundll32 command
5008372  [WINDOWS-CLIPBOARD] rundll32 command with DllRegisterServer
5008373  [WINDOWS-CLIPBOARD] net commands
5008374  [WINDOWS-CLIPBOARD] net commands
5008375  [WINDOWS-CLIPBOARD] query user command
5008376  [WINDOWS-CLIPBOARD] rwinsta command
5008377  [WINDOWS-CLIPBOARD] nltest command
5008378  [WINDOWS-CLIPBOARD] netstat output v1
5008379  [WINDOWS-CLIPBOARD] netstat output v2
5008380  [WINDOWS-CLIPBOARD] copy from share drive to local C: command
5008381  [WINDOWS-CLIPBOARD] bitsadmin file transfer command
5008382  [WINDOWS-CLIPBOARD] proxychains command
5008343  [WINDOWS-SECURITY] Service being stopped by net command v1
5008344  [WINDOWS-SECURITY] Service being stopped by net command v2
5008347  [WINDOWS-SECURITY] Disable Windows Security
5008348  [WINDOWS-SECURITY] Copied rundll32 command executing non-standard dll
5008351  [WINDOWS-SECURITY] Possible UAC Bypass - Rundll32.exe using DLLRegister
5008354  [WINDOWS-SECURITY] Exfil software rclone detected
5008357  [WINDOWS-SECURITY] A service was installed in the system (powershell)
5008358  [WINDOWS-SECURITY] A service was installed in the system (DllRegisterServer)
5008359  [WINDOWS-SECURITY] A service was installed in the system (rundll32 .xls)
5008360  [WINDOWS-SECURITY] A service was installed in the system (rundll32 public directory)
5008361  [WINDOWS-SECURITY] Blackbasta ransomware file extension detected (.basta)
5008345  [WINDOWS-SYSMON] CMD executed from spool directory
5008346  [WINDOWS-SYSMON] Rundll32 network connection detected
5008349  [WINDOWS-SYSMON] Possible Traversal - File created in Public directory
5008350  [WINDOWS-SYSMON] Possible hidden service installed
5008353  [WINDOWS-SYSMON] Process Injection - Rundll32 remote thread into winlogon
5008399  [WINDOWS-SYSMON] Safeboot Registry Entry - Possible Blackbasta


INDEX D: REFERENCES

-Deep Instinct's review of similar Black Basta activity
https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence

-Northwave's review of similar Black Basta activity, including the use of Qbot and ransomware
https://northwave-security.com/en/black-basta-blog/

-VirusTotal results for the file hash of zfgufgfvezdnbcvjkzctpvfdj.dll, indicating Brute Ratel
https://www.virustotal.com/gui/file/62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967

-Brute Ratel's PsExec command, showing the use of SMB for remote control:
https://bruteratel.com/tabs/badger/commands/psexec/

-Brute Ratel and RPC services:
https://bruteratel.com/tabs/badger/commands/services/

-Recent warning regarding the use of rclone by the threat actor "Daixin Team"
https://www.cisa.gov/uscert/ncas/alerts/aa22-294a

-Qakbot Registry Decryption Tool
https://github.com/drole/qakbot-registry-decrypt

-CyberChef recipe to extract and decode shellcode from a Cobalt Strike beacon
https://gist.github.com/0xtornado/69d12572520122cb9bddc2d6793d97ab

-Decoding of files similar to "w.bat"
https://superuser.com/questions/1676713/how-to-decode-contents-of-a-batch-file-with-chinese-characters

-Quadrant's GitHub page for the Sagan log analysis engine rules
https://github.com/quadrantsec/sagan-rules

For more information regarding this analysis, interested parties should contact [email protected]
